DETAILED ACTION

This action is in response to the papers filed 1/03/2008. Claims 1-26 were 
received for consideration. 

Response to arguments 

Applicant's arguments with respect to claims have been considered but are moot 
in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed 
or described as set forth in section 102 of this title, if the differences between the 
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was 
made. 

Claims 1, 4-9, 12, 15-20, 23, and 25 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Kair (US 7,243,148) in view of Bellemore (5,944,825). 

With respect to claim 1, 12, 23 and 25, Kair teaches the method for providing
automated tracking of security vulnerabilities, comprising: using a computer device to 
perform a security vulnerability assessment on a system (see abstract); detecting the 
presence of a security vulnerability in the system; and responsive to detecting the 
presence of the security vulnerability (see column 13 lines 4-20); storing data obtained
from the security vulnerability assessment in a security vulnerabilities database (see
column 13 lines 4-20 and column 17 lines 27-38); determining using a computer, a 
security vulnerability score based on a plurality of vulnerability factors identified by the 
vulnerability assessment (see figure 9-11,14 and column 62 line 3 - column 66 line 
19). 

Kair fails to explicitly disclose determining a time to fix a security vulnerability 
identified by the security vulnerability assessment of the system based on the 
determined security vulnerability score. 

Bellemore discloses a method of assessing a particular host for security 
vulnerabilities in which he teaches determining a time to fix a security vulnerability 
identified by the security vulnerability assessment of the system based on the 
determined security vulnerability score (see Bellemore column 5, lines 16-34). It would 
have been obvious at the time the invention was made to a person having ordinary skill 
in the art to which said subject matter pertains to have given an allotted time for fixing 
the vulnerability before disabling will occur to protect the system (i.e. password
disabling) (see Bellemore column 5, lines 16-34). Therefore one would have been
motivated to have set a time limit for security vulnerability to be fixed to increase the
security of the system.

With respect to claim 4 and 15, Todd discloses the method of claim 1 further 
comprising determining an IP address associated with the security vulnerability (See 
Kair figure 10 and column 70 lines 28-43).

With respect to claim 5 and 16, Todd discloses the method of claim 4 further
comprising entering the IP address and a description of the detected security 
vulnerability in a tracking database. (See Kair column 70 lines 28-60) 

With respect to claim 6 and 17, determining delinquent security vulnerabilities 
based upon the determined time to fix the vulnerability detected by the security 
vulnerability assessment (see Bellemore column 5, lines 16-34). 

With respect to claim 7 and 18, Soles et al. discloses the method of claim 6 
further comprising providing notification of determined delinquencies (see Kair column 
69 line 35 - column 72 line 56). 

With respect to claim 8 and 19, re-running a scan profile when notification is 
received that the security vulnerability has been fixed (See Keir column 13 lines 4-35 
and column 69 lines 44-56). 

With respect to claim 9 and 20, determining whether the security vulnerability still 
exists and archiving records associated with the security vulnerability when the security 
vulnerability does not exist (see Kair column 69 line 35 - column 72 line 56). 

Claims 2, 3, 10, 11, 13, 14, 21, 22, 24, and 26 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Kair (US 7,243,148) in view of Bellemore (5,944,825) 
in further view of Dahlstrom et al (2004/0006704). Kair and Bellemore do not teach with
respect to claim 2 and 13 determining the security vulnerability factor further comprises
measuring the frequency the identified security vulnerability occurs in the system.
Dahlstrom teaches determining the security vulnerability factor further comprises
measuring the frequency the identified security vulnerability occurs in the system (see 
Dahlstrom paragraph 0042 and 0067). It would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject
matter pertains to have kept track of the frequency a security vulnerability occurs to
provide overall summaries of vulnerability tracking within the organization or with
respect to a particular product. The tracking information may also include statistical 
information such as means, medians, ranges, and deviations derived by tracking 
system (see paragraph 0042). Therefore one would have been motivated to have 
tracked the security vulnerability. 

With respect to claim 3 and 14, wherein determining the security vulnerability 
factor further comprises the criticality of an element in the system presenting the 
security vulnerability and a rating of the severity of the security vulnerability (See Kair 
column 62 lines 51-67) 

With respect to claim 10, 21, 24 and 26, Soles et al. discloses a method for
determining a criticality factor for a security vulnerability in a computer system,
comprising: Entering in a database security vulnerabilities detected in the computer
system during a security vulnerability assessment (see Kair column 13 lines 4-20 and
column 17 lines 27-38). Measuring a frequency of occurrence for the detected security
vulnerabilities (see Dahlstrom paragraph 0042 and 0067). Assigning a security
vulnerability factor to a detected security vulnerability based upon the frequency of
occurrence of the security vulnerability in the system (see Kair column 62 line 3 -
column 66 line 19).

With respect to claim 11 and 22, Soles et al. discloses the method of claim 10,
wherein the assigning a vulnerability factor further comprises considering a criticality of 
an element in the system presenting the vulnerability and a rating of the severity of the 
vulnerability within the system (See Kair column 62 lines 51-67). 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Devin Almeida whose telephone number is 571-270-1018.
The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to
5:00 P.M. The examiner can also be reached on alternate Fridays from 7:30 A.M. to 
4:00 P.M. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free). 



Devin Almeida 
Patent Examiner 
4/08/08 



/Benjamin E Lanier/ 

Primary Examiner, Art Unit 2132 



